I am trying to edit users in Active Directory over LDAP using PHP. My test machine is a simple WAMP setup that is not joined to the Windows domain. This machine connects to LDAP on the domain controller without encryption with no trouble. After repeated attempts I still cannot connect over SSL, but I was able to get it working with TLS (ldap_start_tls), which lets me change user passwords, which is the end goal. No problems on the test machine.
The actual web server, however, is a member of the domain, and it refuses to work. The TLS connection fails, and the domain controller reports a schannel fatal alert 48, which means there is an untrusted root CA in the certificate chain. I have installed the certificate on the web server and the root CA certificate on both the web server and the DC, to no avail. I don't know what to try next.
What am I doing wrong? Why does LDAP over TLS work from a computer outside the domain but not from one inside it?
Recently I have been comparing the certificates and certificate chains on these 3 machines. The only difference I have found is that on the working (non-domain) web server and on the DC the certificate chain has three steps: COMODO -> COMODO RSA Domain Validation Secure Server CA -> my certificate. On the domain web server it is the same, except that everything is shifted down one level and the top-level certificate shows "USERTrust".
Is this difference causing the problem?
Verify command run on the non-working web server against the original certificate file:
Issuer:
CN=COMODO RSA Domain Validation Secure Server CA
O=COMODO CA Limited
L=Salford
S=Greater Manchester
C=GB
Subject:
CN=cjtrainor.com
OU=COMODO SSL Unified Communications
OU=Domain Control Validated
Cert Serial Number: bd4d0f693ab0104ac9f1b45003d6138d
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwRevocationFreshnessTime: 3 Days, 16 Hours, 4 Minutes, 14 Seconds
SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwRevocationFreshnessTime: 3 Days, 16 Hours, 4 Minutes, 14 Seconds
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
Issuer: CN=COMODO RSA Domain Validation Secure Server CA, O=COMODO CA Limited,
L=Salford, S=Greater Manchester, C=GB
NotBefore: 6/8/2015 8:00 PM
NotAfter: 11/1/2015 7:59 PM
Subject: CN=cjtrainor.com, OU=COMODO SSL Unified Communications, OU=Domain Con
trol Validated
Serial: bd4d0f693ab0104ac9f1b45003d6138d
SubjectAltName: DNS Name=cjtrainor.com, DNS Name=NewServer.cjtrainor.local, DN
S Name=cjtrainor.local
41 fb 61 2e db f5 76 49 05 1e a9 73 66 cc 10 4a 71 6c 9a 15
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
CRL (null):
Issuer: CN=COMODO RSA Domain Validation Secure Server CA, O=COMODO CA Limite
d, L=Salford, S=Greater Manchester, C=GB
61 3b b6 5c 6f df 50 e7 9f 64 21 09 ab 11 8a f5 bc 11 5f 6c
Issuance[0] = 1.3.6.1.4.1.6449.1.2.2.7
Issuance[1] = 2.23.140.1.2.1
Application[0] = 1.3.6.1.5.5.7.3.1 Server Authentication
Application[1] = 1.3.6.1.5.5.7.3.2 Client Authentication
CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=0
Issuer: CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford,
S=Greater Manchester, C=GB
NotBefore: 2/11/2014 8:00 PM
NotAfter: 2/11/2029 7:59 PM
Subject: CN=COMODO RSA Domain Validation Secure Server CA, O=COMODO CA Limited
, L=Salford, S=Greater Manchester, C=GB
Serial: 2b2e6eead975366c148a6edba37c8c07
33 9c dd 57 cf d5 b1 41 16 9b 61 5f f3 14 28 78 2d 1d a6 39
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
CRL (null):
Issuer: CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salfor
d, S=Greater Manchester, C=GB
ca e2 4c d2 71 15 63 f3 a9 0f 6a fb 8c 60 7f 73 6b b9 b6 79
Application[0] = 1.3.6.1.5.5.7.3.1 Server Authentication
Application[1] = 1.3.6.1.5.5.7.3.2 Client Authentication
CertContext[0][2]: dwInfoStatus=10c dwErrorStatus=0
Issuer: CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford,
S=Greater Manchester, C=GB
NotBefore: 1/18/2010 8:00 PM
NotAfter: 1/18/2038 7:59 PM
Subject: CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford
, S=Greater Manchester, C=GB
Serial: 4caaf9cadb636fe01ff74ed85b03869d
af e5 d2 44 a8 d1 19 42 30 ff 47 9f e2 f8 97 bb cd 7a 8c b4
Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
Application[0] = 1.3.6.1.5.5.7.3.1 Server Authentication
Application[1] = 1.3.6.1.5.5.7.3.2 Client Authentication
Application[2] = 1.3.6.1.5.5.7.3.4 Secure Email
Application[3] = 1.3.6.1.5.5.7.3.3 Code Signing
Application[4] = 1.3.6.1.5.5.7.3.8 Time Stamping
Application[5] = 1.3.6.1.4.1.311.10.3.4 Encrypting File System
Application[6] = 1.3.6.1.5.5.7.3.6 IP security tunnel termination
Application[7] = 1.3.6.1.5.5.7.3.7 IP security user
Exclude leaf cert:
80 98 de 5e 8f 00 8a b8 19 21 23 cd 96 bd f4 ae a8 5c 9e cc
Full chain:
9c 7b 73 21 92 d4 b7 70 36 52 f5 e8 9f cb 16 25 a6 6a b9 77
------------------------------------
Verified Issuance Policies:
1.3.6.1.4.1.6449.1.2.2.7
2.23.140.1.2.1
Verified Application Policies:
1.3.6.1.5.5.7.3.1 Server Authentication
1.3.6.1.5.5.7.3.2 Client Authentication
Cert is an End Entity certificate
Leaf certificate revocation check passed
CertUtil: -verify command completed successfully.
Verify command on the working web server:
Issuer:
CN=COMODO RSA Domain Validation Secure Server
O=COMODO CA Limited
L=Salford
S=Greater Manchester
C=GB
Name Hash(sha1): 7ae13ee8a0c42a2cb428cbe7a605461
Name Hash(md5): 737301010f9ec759d54329bbb1553aa2
Subject:
CN=cjtrainor.com
OU=COMODO SSL Unified Communications
OU=Domain Control Validated
Name Hash(sha1): d75889ccf0886cb2b6873fedbdcf079
Name Hash(md5): a584a7d4ec9fb308a698d4921379f5bd
Cert Serial Number: bd4d0f693ab0104ac9f1b45003d613
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x2000000
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXC
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERR
ChainContext.dwRevocationFreshnessTime: 19 Hours,
SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRE
SimpleChain.dwRevocationFreshnessTime: 19 Hours, 1
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=
Issuer: CN=COMODO RSA Domain Validation Secure S
L=Salford, S=Greater Manchester, C=GB
NotBefore: 6/8/2015 8:00 PM
NotAfter: 11/1/2015 7:59 PM
Subject: CN=cjtrainor.com, OU=COMODO SSL Unified
trol Validated
Serial: bd4d0f693ab0104ac9f1b45003d6138d
SubjectAltName: DNS Name=cjtrainor.com, DNS Name
S Name=cjtrainor.local
159a6c714a10cc6673a91e054976f5db2e61fb41
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_
CRL (null):
Issuer: CN=COMODO RSA Domain Validation Secure
d, L=Salford, S=Greater Manchester, C=GB
ThisUpdate: 7/8/2015 8:26 PM
NextUpdate: 7/12/2015 8:26 PM
bf512c78f12e36d6fd4b8d7430d38b516c49368c
Issuance[0] = 1.3.6.1.4.1.6449.1.2.2.7
Issuance[1] = 2.23.140.1.2.1
Application[0] = 1.3.6.1.5.5.7.3.1 Server Authen
Application[1] = 1.3.6.1.5.5.7.3.2 Client Authen
CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=
Issuer: CN=COMODO RSA Certification Authority, O
S=Greater Manchester, C=GB
NotBefore: 2/11/2014 8:00 PM
NotAfter: 2/11/2029 7:59 PM
Subject: CN=COMODO RSA Domain Validation Secure
, L=Salford, S=Greater Manchester, C=GB
Serial: 2b2e6eead975366c148a6edba37c8c07
39a61d2d782814f35f619b1641b1d5cf57dd9c33
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_
CRL (null):
Issuer: CN=COMODO RSA Certification Authority,
d, S=Greater Manchester, C=GB
ThisUpdate: 7/8/2015 10:49 PM
NextUpdate: 7/12/2015 10:49 PM
291aa1576538dd0005d5daf2bfc9c9695ad3d668
Application[0] = 1.3.6.1.5.5.7.3.1 Server Authen
Application[1] = 1.3.6.1.5.5.7.3.2 Client Authen
CertContext[0][2]: dwInfoStatus=10c dwErrorStatus=
Issuer: CN=COMODO RSA Certification Authority, O
S=Greater Manchester, C=GB
NotBefore: 1/18/2010 8:00 PM
NotAfter: 1/18/2038 7:59 PM
Subject: CN=COMODO RSA Certification Authority,
, S=Greater Manchester, C=GB
Serial: 4caaf9cadb636fe01ff74ed85b03869d
b48c7acdbb97f8e29f47ff304219d1a844d2e5af
Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH
Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_
Application[0] = 1.3.6.1.5.5.7.3.1 Server Authen
Application[1] = 1.3.6.1.5.5.7.3.2 Client Authen
Application[2] = 1.3.6.1.5.5.7.3.4 Secure Email
Application[3] = 1.3.6.1.5.5.7.3.3 Code Signing
Application[4] = 1.3.6.1.5.5.7.3.8 Time Stamping
Application[5] = 1.3.6.1.4.1.311.10.3.4 Encrypti
Application[6] = 1.3.6.1.5.5.7.3.6 IP security t
Application[7] = 1.3.6.1.5.5.7.3.7 IP security u
Exclude leaf cert:
184db2fbca0995333804bb28f9d0cb6026978692
Full chain:
7dd2a6cd15b069fb11faca26f40bf48b2d7197a4
------------------------------------
Verified Issuance Policies:
1.3.6.1.4.1.6449.1.2.2.7
2.23.140.1.2.1
Verified Application Policies:
1.3.6.1.5.5.7.3.1 Server Authentication
1.3.6.1.5.5.7.3.2 Client Authentication
Cert is an End Entity certificate
Leaf certificate revocation check passed
CertUtil: -verify command completed successfully.
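The two certutil -verify dumps above, parsed and compared mechanically, as an added example that is not part of the original post. It reads the CertContext blocks of each dump, takes each element's subject, serial number and the bare SHA-1 thumbprint line that follows it, and pairs the elements by position. The sample inputs are constructed excerpts of the two dumps on this page, the second one clipped at the right margin exactly as it appears here. The thumbprints in the second dump are the same bytes as in the first in reverse order (different certutil builds print the SHA-1 either way), so the comparison accepts a byte-reversed match and flags it; for these two dumps every position matches on serial and thumbprint, i.e. both machines validated the same three certificates up to the same self-signed COMODO RSA root.

```python
# Added example (not from the original post): parse two `certutil -verify`
# dumps and compare the chains element by element. Sample dumps below are
# constructed excerpts of the two outputs quoted on the page; the second is
# clipped at the right margin exactly as it appears there.
import re
from dataclasses import dataclass

# "CertContext[chain][element]: dwInfoStatus=102 dwErrorStatus=0"
# (the error-status value is optional because the clipped dump loses it)
HEADER = re.compile(r"^CertContext\[\d+\]\[(\d+)\]:\s+dwInfoStatus=(\w+)\s+dwErrorStatus=\w*")
# a bare 20-byte SHA-1, printed as "41 fb 61 ..." or as "41fb61..."
HEX_LINE = re.compile(r"^(?:[0-9a-fA-F]{2}\s?){20}$")
CERT_TRUST_IS_SELF_SIGNED = 0x8  # dwInfoStatus bit, as listed in the dump


@dataclass
class ChainElement:
    position: int         # 0 = leaf, last = root
    info_status: str      # dwInfoStatus as a hex string
    subject: str = ""
    serial: str = ""
    thumbprint: str = ""  # 40 lowercase hex chars, byte order as printed

    def is_self_signed(self) -> bool:
        return bool(int(self.info_status, 16) & CERT_TRUST_IS_SELF_SIGNED)


def parse_chain(dump: str) -> list[ChainElement]:
    """One ChainElement per CertContext block, in chain order."""
    chain: list[ChainElement] = []
    cur = None
    for raw in dump.splitlines():
        line = raw.strip()
        if m := HEADER.match(line):
            cur = ChainElement(int(m[1]), m[2])
            chain.append(cur)
        elif cur is None:
            continue  # preamble before the first element
        elif line.startswith("Subject:") and not cur.subject:
            cur.subject = line[8:].strip()
        elif line.startswith("Serial:"):
            cur.serial = line[7:].strip().lower()
        elif HEX_LINE.match(line) and not cur.thumbprint:
            # the first hex line after the header is the cert's own SHA-1;
            # later ones are the CRL thumbprint or the whole-chain hashes
            cur.thumbprint = re.sub(r"\s+", "", line).lower()
    return chain


def reversed_bytes(hexstr: str) -> str:
    return bytes.fromhex(hexstr)[::-1].hex()


def compare_chains(left: list[ChainElement], right: list[ChainElement]) -> list[dict]:
    """Pair elements by position. A thumbprint that matches only after byte
    reversal still counts as the same certificate, but is flagged as such."""
    if len(left) != len(right):
        raise ValueError(f"chain lengths differ: {len(left)} vs {len(right)}")
    report = []
    for a, b in zip(left, right):
        same = a.thumbprint == b.thumbprint
        rev = not same and a.thumbprint == reversed_bytes(b.thumbprint)
        report.append({
            "position": a.position,
            "subject": a.subject or b.subject,
            "serial_match": a.serial == b.serial,
            "thumbprint_match": same or rev,
            "byte_reversed": rev,
            "self_signed": a.is_self_signed() and b.is_self_signed(),
        })
    return report


def chains_identical(report: list[dict]) -> bool:
    return all(r["serial_match"] and r["thumbprint_match"] for r in report)


DUMP_NONWORKING = """\
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
Subject: CN=cjtrainor.com, OU=COMODO SSL Unified Communications, OU=Domain Con
Serial: bd4d0f693ab0104ac9f1b45003d6138d
41 fb 61 2e db f5 76 49 05 1e a9 73 66 cc 10 4a 71 6c 9a 15
CRL (null):
61 3b b6 5c 6f df 50 e7 9f 64 21 09 ab 11 8a f5 bc 11 5f 6c
CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=0
Subject: CN=COMODO RSA Domain Validation Secure Server CA, O=COMODO CA Limited
Serial: 2b2e6eead975366c148a6edba37c8c07
33 9c dd 57 cf d5 b1 41 16 9b 61 5f f3 14 28 78 2d 1d a6 39
CertContext[0][2]: dwInfoStatus=10c dwErrorStatus=0
Subject: CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford
Serial: 4caaf9cadb636fe01ff74ed85b03869d
af e5 d2 44 a8 d1 19 42 30 ff 47 9f e2 f8 97 bb cd 7a 8c b4
"""

DUMP_WORKING = """\
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=
Subject: CN=cjtrainor.com, OU=COMODO SSL Unified
Serial: bd4d0f693ab0104ac9f1b45003d6138d
159a6c714a10cc6673a91e054976f5db2e61fb41
CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=
Serial: 2b2e6eead975366c148a6edba37c8c07
39a61d2d782814f35f619b1641b1d5cf57dd9c33
CertContext[0][2]: dwInfoStatus=10c dwErrorStatus=
Serial: 4caaf9cadb636fe01ff74ed85b03869d
b48c7acdbb97f8e29f47ff304219d1a844d2e5af
"""

if __name__ == "__main__":
    rep = compare_chains(parse_chain(DUMP_NONWORKING), parse_chain(DUMP_WORKING))
    for r in rep:
        print(r)
    print("identical:", chains_identical(rep))
```

To run it against real output, save each machine's full certutil -verify text to a file and pass its contents to parse_chain; a chain that differs in length, or an element whose serial or thumbprint does not match at the same position, is where the two machines' trust paths diverge.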